ABSTRACT

We present a controller synthesis algorithm for a discrete-time reach-avoid problem in the presence of adversaries. Our model of the adversary captures typical malicious attacks envisioned on cyber-physical systems such as sensor spoofing, controller corruption, and actuator intrusion. After formulating the problem in a general setting, we present a sound and complete algorithm for the case with linear dynamics and an adversary with a budget on the total L2-norm of its actions. The algorithm relies on a result from linear control theory that enables us to decompose and precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. With this decomposition, the synthesis problem eliminates the universal quantifier on the adversary's choices, and the symbolic controller actions can be effectively solved for using an SMT solver. The constraints induced by the adversary are computed by solving second-order cone programs. The algorithm is later extended to synthesize state-dependent controllers and to generate attacks for the adversary. We present preliminary experimental results that show the effectiveness of this approach on several example problems.

Keywords

Cyber-physical security, constraint-based synthesis, controller synthesis

1. INTRODUCTION 

We study a discrete-time synthesis problem for a plant simultaneously acted upon by a controller and an adversary. Synthesizing controller strategies for stabilization in the face of random noise or disturbances is one of the classical problems in control theory [1,2]. Synthesis for temporal logic specifications [3-5], for discrete, continuous, and hybrid systems has been studied in detail. The reach-avoid properties that our controllers target are special, bounded-time temporal logic requirements, and they have received special attention as well [6]. Unlike the existing models in the controller synthesis literature, however, the system here is afflicted by an adversary, and we would like to synthesize a controller that guarantees its safety and liveness for all possible choices made by the adversary.

This problem is motivated by the urgent societal need to secure control modules in critical infrastructures and safety-critical systems against malicious attacks [7, 8]. Common modes of attack include sensor spoofing or jamming, malicious code, and actuator intrusion. Abstracting away the mechanisms used to launch the attacks, their effect on the physical plant can be captured as a switched system with inputs from the controller and the adversary:

$x_{t+1} = f_{\sigma_t}(x_t, u_t, a_t),$

where x_t is the state of the system, and u_t and a_t are the inputs from the controller and the adversary. The problem is parameterized by a family of dynamical functions {f_σ}_{σ∈Σ}, a switching signal {σ_t}_{t∈ℕ}, a time bound T, the set of initial states (Init), target states (Goal), safe states (Safe), and the sets of choices available to the adversary (Adv) and the controller (Ctr). A natural decision problem is to ask: does there exist a controller strategy u ∈ Ctr such that for any initial state in Init, and any choice by the adversary in Adv, the system remains in Safe and reaches Goal within time T? A constructive affirmative answer can be used to implement controllers that are Adv-resilient, while a negative answer can inform the system design choices that influence the other parameters like f, T and Ctr.

We provide a decision procedure for this problem for the special case where f is a linear mapping, the sets Init, Safe, Goal, and Ctr are given as polytopic sets, and Adv is given as an ℓ₂ ball in a Euclidean space. The idea behind the algorithm is a novel decomposition that distinguishes it from the LTL-based synthesis approaches [3] and the reachability-based techniques of [6]. The key to this decomposition is the concept of adversarial leverage: the uncertainty in the state of the system induced by the sequence of choices made by the adversary, for a given initial state and a sequence of choices made by the controller. For linear models, we show that the adversary leverage can be computed exactly. As a result, an adversary-free synthesis problem with a modified set of Safe and Goal requirements precisely gives the solution for the problem with an adversary.

We implement the algorithm with the convex optimization package CVXOPT [9] and the SMT solver Z3 [10]. We present experimental results that show the effectiveness of this approach on several example problems. The algorithm synthesizes adversary-resilient control for systems with up to 16 dimensions in minutes. We also show that the algorithm can be applied to analyze the maximum power of the adversary for which a feasible solution exists, and to synthesize attacks for the adversary.

Advancing Science of Security.

Scientific security analysis is necessarily parameterized by the skill and effort level of the adversary. In this paper we combine these parameters into a single parameter called the budget of the adversary, which can model sensor attacks and actuator intrusions with different strengths and persistence. We present the foundations for analyzing cyber-physical systems under attack from adversaries with different budgets. Specifically, we develop algorithms both for the automatic synthesis of safe controllers and for proving that there exists no satisfactory controller when the adversary has a certain budget. These algorithms can also be used to characterize the vulnerability of system states in terms of the adversary budget that makes them infeasible for safe control. In summary, we present a framework for algorithmically studying the security of cyber-physical systems in the context of model-based development.

2. RELATED WORK 

In this work, we employ SMT solvers to synthesize controllers for reach-avoid problems for discrete-time linear systems with adversaries. Our problem is formulated along the lines of the framework and fundamental design goals of [7, 11]. The framework was applied to study optimal control design with respect to a given objective function under security constraints [12] and the detection of computer attacks with knowledge of the physical system [13]. Similar frameworks were adopted in [14], where the authors proposed an effective algorithm to estimate the system states and designed feedback controllers to stabilize the system under adversaries, and in [15], where an optimal controller is designed for a distributed control system with communication delays. Although the motivation of the above studies is similar to ours, we focus on another aspect of the problem, which is to synthesize attack-resilient control automatically.

The idea of using SMT solvers to synthesize feedback controllers for control systems is inspired by recent works [16, 17]. In [16], the authors used SMT solvers to synthesize integrated task and motion plans by constructing a placement graph. In [17], a constraint-based approach was developed to solve games on infinite graphs between the system and the adversary. Our work extends the idea of constraint-based synthesis by introducing control-theoretic approaches to derive the constraints.

The authors of [6, 18] proposed a game-theoretic approach to synthesize controllers for the reach-avoid problem, first for continuous and later for switched systems. In these approaches, the reach set of the system is computed by solving a non-linear Hamilton-Jacobi-Isaacs PDE. Our methodology, instead of formulating a general optimization problem for which the solution may not be easily computable, solves a special case exactly and efficiently. With this building block, we are able to solve more general problems through abstraction and refinement.

3. PROBLEM STATEMENT 

In this paper, we focus on discrete-time linear time-varying (LTV) systems. Consider the discrete-time linear control system evolving according to the equation:

$x_{t+1} = A_t x_t + B_t u_t + C_t a_t,$ (1)

where for each time instant t ∈ ℕ, x_t ∈ X ⊆ ℝ^n is the state vector of the controlled plant, u_t ∈ 𝒰 is the controller input to the plant, and a_t ∈ 𝒜 is the adversarial input to the plant. For a fixed time horizon T ∈ ℕ, let us denote sequences of controller and adversary inputs by u ∈ 𝒰^T and a ∈ 𝒜^T. In addition to the sequence of matrices A_t, B_t, C_t and a time bound T, the linear adversarial reach-avoid control problem, or ARAC in short, is parameterized by: (i) three sets of states Init, Safe, Goal ⊆ X called the initial, safe and goal states, (ii) a set Ctr ⊆ 𝒰^T called the controller constraints, and (iii) a set Adv ⊆ 𝒜^T called the adversary constraints. We will assume finite representations of these sets such as polytopes, and we will state these representational assumptions explicitly later. A controller input sequence u is admissible if it meets the constraints Ctr, that is, u ∈ Ctr, and an adversarial input sequence is admissible if a ∈ Adv. We define what it means to solve an ARAC problem with an open-loop controller strategy.

Definition 1. A solution to an ARAC is an input sequence u ∈ Ctr such that for any initial state x_0 ∈ Init and any admissible sequence of adversarial inputs a ∈ Adv, the states visited by the system satisfy the conditions:

• (Safe) for all t ∈ {0, ..., T}, x_t ∈ Safe, and

• (Winning) x_T ∈ Goal.

In this paper we propose an algorithm that, given an ARAC problem, either computes a solution or proves that there is none. In the next section, we discuss how the problem captures instances of control synthesis problems for cyber-physical systems under several different types of attacks.

Helicopter Autopilot Example 

To make this discussion concrete, we consider an autonomous helicopter. The state vector of the plant is x ∈ ℝ^16, and the control input vector is u ∈ ℝ^4 with a bounded range for each component. The descriptions of the state and input vectors are in Table 1. The dynamics of the helicopter is given in [19], which can be discretized into a linear time-invariant system: x_{t+1} = A x_t + B u_t. The autopilot is supposed to take the helicopter to a waypoint in a 3D maze within a bounded time T (Goal) and avoid the mapped buildings and trees. The complement of these obstacles in the 3D space defines the Safe set (see Figure 1).

The computation of the control inputs (u_t) typically involves sensing the observable part of the state, computing the inputs to the plant, and feeding the inputs through actuators. In a cyber-physical system, the mechanisms involved in each of these steps can be attacked, and different attacks give rise to different instances of ARAC.

Controller and Actuator attacks. An adversary with software privileges may compromise a part of the controller software. A network-level adversary may inject spurious packets in the channel between the controller and the actuator. An adversary with hardware access may directly tamper with the actuator and add an input signal of a_t. Under many circumstances, it is reasonable to expect these attacks to be transient or short-lived compared to T (for example, otherwise they will be diagnosed and mitigated). Then the actual input to the system becomes u'_t = u_t + a_t, and the dynamics of the complete system is modified to x_{t+1} = A x_t + B u_t + B a_t, which gives an instance of ARAC.

Figure 1: Helicopter fly-through scene. Red boxes are the obstacles, the cyan box on the right is the goal set, the green ball on the left is the set of initial states, and the blue curve is a sampled trajectory of the helicopter with a random adversary input.

Sensor attacks. Another type of adversary spoofs the helicopter's sensors, such as the GPS and the gyroscope, so that the position estimator is noisy. Consider a control system where the adversary-free control u_t is a function of the sequence of sensor data. If the adversary injects an additive error into the sensors, then the control inputs computed from this inaccurate data will carry an added error; the initial state will also have uncertainty. We model the additive error by the adversary input a_t. Once again, this gives rise to an instance of ARAC. Assuming that the injection of a_t requires energy and that the adversary has limited energy for launching the attack then gives rise to the adversary class Adv = {a ∈ 𝒜^T : Σ_{t∈[T]} ||a_t||² ≤ b}, where b is the energy budget.


States/Inputs      Description
[p_x, p_y, p_z]    Cartesian coordinates
[u, v, w]          Cartesian velocities
[p, q, r]          Euler angular rates
[a, b, c, d]       Flapping angles
[ψ, φ, θ]          Euler angles
u_z                Lateral cyclic deflection in [-1, 1]
u_x                Longitudinal cyclic deflection in [-1, 1]
u_p                Pedal control input in [-1, 1]
u_c                Collective control input in [0, 1]

Table 1: States and inputs of the helicopter model.


4. ALGORITHM FOR LINEAR ARAC 


4.1 Preliminaries and Notations 

For a natural number n ∈ ℕ, [n] is the set {0, 1, ..., n−1}. For a sequence A of objects of any type with n elements, we refer to the i-th element, i < n, by A_i. For a real-valued vector v ∈ ℝ^n, ||v|| is its ℓ₂-norm. For δ > 0, the set B_δ(v) denotes the closed ball {x ∈ ℝ^n : ||v − x|| ≤ δ} centered at v. For a parameter ε > 0 and a compact set A ⊆ ℝ^n, an ε-cover of A is a finite set C = {a_i}_{i∈I} ⊆ A such that ∪_{i∈I} B_ε(a_i) ⊇ A. For two sets A, B ⊆ ℝ^n, the direct sum is A ⊕ B = {x ∈ ℝ^n : ∃a ∈ A, ∃b ∈ B, a + b = x}. For a vector v, we write A ⊕ v for A ⊕ {v}. Sets in ℝ^n will be represented by finite unions of balls or polytopes. An n-dimensional polytope P = {x ∈ ℝ^n : Ax ≤ b} is specified by a matrix A ∈ ℝ^{m×n} and a vector b ∈ ℝ^m, where m is the number of constraints. A polytopic set is a finite union of polytopes and is specified by a sequence of matrices and vectors. A polytopic set can be written in Conjunctive Normal Form (CNF), where (i) the complete formula is a conjunction of clauses, and (ii) each clause is a disjunction of linear inequalities.

In this paper, we will assume that the initial set Init is given as a ball B_δ(θ) ⊆ X for some θ ∈ X and δ > 0. We also fix the time horizon T. The set Adv is specified by a budget b > 0: Adv = {a ∈ 𝒜^T : Σ_{t∈[T]} ||a_t||² ≤ b}. Ctr is specified by a polytopic set.

For a sequence of matrices {A_t}_{t∈ℕ} and any 0 ≤ t_0 ≤ t_1, we denote the transition matrix from t_0 to t_1, defined inductively, as α(t_1, t_0) = A_{t_1−1} α(t_1 − 1, t_0) and α(t_0, t_0) = I.

A trajectory of length T for the system is a sequence x_0, x_1, ..., x_T such that x_0 ∈ Init and each x_{t+1} is inductively obtained from Equation (1) by the application of some admissible controller and adversary inputs. The state of a trajectory at time t is uniquely defined by the choice of an initial state x_0 ∈ Init, an admissible control input u ∈ Ctr and an admissible adversary input a ∈ Adv. We denote this state as ξ(x_0, u, a, t).

The notion of a trajectory is naturally extended to sets of trajectories with sets of initial states and inputs. For a time t ∈ [T+1], a subset of initial states Θ ⊆ Init, a subset of adversary inputs A ⊆ Adv, and a subset of controller inputs U ⊆ Ctr, we define:

$\mathrm{Reach}(\Theta, U, A, t) = \{\xi(x_0, u, a, t) : x_0 \in \Theta \wedge u \in U \wedge a \in A\}.$

For a singleton u ∈ 𝒰^T, we write Reach(Θ, {u}, Adv, t) as Reach(Θ, u, t). To solve ARAC we then have to decide if

$\exists u \in Ctr : \big(\bigwedge_{t \in [T+1]} \mathrm{Reach}(Init, u, t) \subseteq Safe\big) \wedge \mathrm{Reach}(Init, u, T) \subseteq Goal.$ (2)

This representation hides the dependence of the Reach sets on the set of adversary choices.

4.2 Decoupling 

In this section, we present a technique to decouple the ARAC problem. The decomposition relies on a result from robust control that enables us to precisely compute the reachable states of the system in terms of a symbolic simulation of the adversary-free dynamics and the total uncertainty induced by the adversary. In Section 4.6, we present an algorithm that performs this decomposition so as to eliminate the universal quantifier on the adversary's choices and initial states in Definitions 2 and 3.

4.3 Adversarial Leverage 











Definition 2. For any t ∈ [T+1], initial state x_0 ∈ Init, and any control u ∈ Ctr, the adversary leverage at t is a set R(x_0, u, t) such that

$\mathrm{Reach}(x_0, u, t) = \xi(x_0, u, 0, t) \oplus R(x_0, u, t).$ (3)

Informally, the adversary leverage captures how far an adversary can drive the trajectory away from the adversary-free trajectory. It decomposes the reach set Reach(x_0, u, t) into two parts: a deterministic adversary-free trajectory ξ(x_0, u, 0, t), and the reachtube R(x_0, u, t) that captures the nondeterminism introduced by the adversary. Our solution for ARAC relies heavily on computing over-approximations of reach sets, and to that end, observe that it suffices to over-approximate the adversary leverage. For certain classes of non-linear systems, it can be over-approximated statically using techniques from robust control, such as H∞ control. It can also be approximated dynamically by reachability algorithms that handle nondeterministic modes (see, for example, [20, 21]).

For the ARAC problem with linear dynamics described in (1), where the adversary input set Adv = {a ∈ 𝒜^T : Σ_{t∈[T]} ||a_t||² ≤ b} is defined by a budget b > 0, we can compute the adversary leverage precisely. The following lemma is completely standard in linear control theory.

Lemma 1. For any time t ∈ [T+1], if the controllability Gramian of the adversary

$W_t = \sum_{s=0}^{t-1} \alpha(t, s+1)\, C_s C_s^\top\, \alpha^\top(t, s+1)$

is invertible, then

$R(x_0, u, t) = \{x \in \mathbb{R}^n : x^\top W_t^{-1} x \le b\}$

is the precise adversary leverage at t.

Proof. For t ∈ [T+1], we have

$x_t = \alpha(t, 0)\, x_0 + \sum_{s=0}^{t-1} \alpha(t, s+1) B_s u_s + \sum_{s=0}^{t-1} \alpha(t, s+1) C_s a_s.$ (4)

Since ξ(x_0, u, 0, t) = α(t, 0) x_0 + Σ_{s=0}^{t−1} α(t, s+1) B_s u_s, we have

$R(x_0, u, t) = \Big\{x \in \mathbb{R}^n : x = \sum_{s=0}^{t-1} \alpha(t, s+1) C_s a_s \;\wedge\; \sum_{s=0}^{T-1} \|a_s\|^2 \le b\Big\},$

which is the set {x ∈ ℝ^n : x^⊤ W_t^{-1} x ≤ b}, with controllability Gramian W_t. □

The above lemma establishes the precise adversary leverage as an ellipsoid defined by the controllability Gramian W_t and b. In this case, the ellipsoid is independent of x_0 and u and only depends on t. From here on, we will drop the arguments of R when they are redundant or clear from context. If W_t is singular for some t ∈ [T+1], then we replace the inverse of W_t by its pseudo-inverse, and the set R is an ellipsoid in the controllable subspace.

4.4 Uncertainty in Initial Set 

Following the above discussion, we show that a similar 
decomposition of the reachable states is possible with respect 
to the uncertainty in the initial state. 

Definition 3. Consider the initial set Init to be B_δ(x_0) for some δ > 0 and x_0 ∈ X. For a t ∈ [T+1] and a control input u, the initialization factor at t is a set B(x_0, u, t) such that

$\mathrm{Reach}(B_\delta(x_0), u, 0, t) = \xi(x_0, u, 0, t) \oplus B(x_0, u, t).$ (5)


The initialization factor captures the degree to which the uncertainty δ in the initial set can make the adversary-free trajectories deviate. For general nonlinear models, we will have to rely on over-approximating the initialization factor [], but for the linear version of ARAC the following lemma provides a precise procedure for computing it.

Lemma 2. For an initial set Init = B_δ(θ) ⊆ ℝ^n, for any t ∈ [T+1] and input u ∈ Ctr, if the matrix α(t, 0)^⊤ α(t, 0) is invertible, then

$B(\theta, u, t) = \{x \in \mathbb{R}^n : x^\top [\alpha^\top(t, 0)\, \alpha(t, 0)]^{-1} x \le \delta^2\}$

is the precise initialization factor at t.

If the matrix A is singular, then a similar statement holds in terms of the pseudo-inverse of [α^⊤(t, 0) α(t, 0)]. Thus, the initialization factor is an ellipsoid defined by A, t and δ and is independent of x_0 and u. We will drop the arguments of B when they are redundant or clear from context.

4.5 Adversary-free Constraints 

Using the decomposition of the reach set given by the above lemmas, we will first solve a new reach-avoid synthesis problem for the adversary-free system. To construct this new problem we will modify the safety and winning constraints of the ARAC. For a given time instant, the new constraints are obtained using the same approach as in robotic planning. The synthesis problem requires a solution to a sequence of such problems.

Definition 4. Given a set S ⊆ ℝ^n and a compact convex set R ⊆ ℝ^n, a set S' ⊆ ℝ^n is a strengthening of S by R if

$S' \oplus R \subseteq S.$ (6)

A strengthening S' is precise if S' ⊕ R equals S. The strengthening S' is a subset of S that is shrunk by the set R. If S is a polytopic set and R is a convex compact set, then exact solutions to the following optimization problem yield precise strengthenings.

Lemma 3. For a half-space S = {x ∈ ℝ^n : c^⊤x ≤ b} and a convex compact set R, a precise strengthening of S by R is S' = {x ∈ ℝ^n : c^⊤x ≤ b − c^⊤x*} such that

$x^* = \arg\min_{x \in R} -c^\top x.$ (7)

Proof. Let b* = c^⊤x*. Fix any x ∈ R and y ∈ S'. From the definition of S', c^⊤y + b* ≤ b. Since x* minimizes −c^⊤x over R and x ∈ R, we have −c^⊤x ≥ −c^⊤x* = −b*. It follows that c^⊤(x + y) ≤ c^⊤y + c^⊤x* = c^⊤y + b* ≤ b. Thus x + y ∈ S and therefore S' ⊕ R ⊆ S.

For any y ∈ S, it holds that c^⊤y ≤ b. Let y' = y − x*. It follows that c^⊤y' = c^⊤y − c^⊤x* ≤ b − c^⊤x*. Thus y' ∈ S'. Combined with x* ∈ R, y = y' + x* ∈ S' ⊕ R. Therefore S ⊆ S' ⊕ R. □

Since a polytopic set is a union of intersections of linear inequalities, the above lemma generalizes to polytopic sets in a natural way.

Corollary 4. For a polytopic set S = {x ∈ ℝ^n : ∨_{i∈[m]} A_i x ≤ b_i} and a compact convex set R ⊆ ℝ^n,

$S' = \Big\{x \in \mathbb{R}^n : \bigvee_{i \in [m]} A_i x \le b_i - b_i^*\Big\}$

is a precise strengthening of S by R. Here each element of b_i^* equals c^⊤x*, with c^⊤ being the corresponding row of A_i and x* the solution of (7).

4.6 An Algorithm for Linear ARAC

We present Algorithm 1 for solving the linear version of the ARAC problem.


Algorithm 1: Synthesis(Init, Safe, Goal, Adv, Ctr, T)

1 for t ∈ [T+1] do
2   R_t ← AdvDrift(Adv, t);
3   B_t ← InitCover(Init, t);
4   Safe'_t ← Strengthen(Safe, R_t, B_t);
5 end
6 Goal' ← Strengthen(Goal, R_T, B_T);
7 (u, Failed) ← SolveSMT(θ, Safe', Goal', Ctr, T);
8 return (u, Failed)


The subroutine AdvDrift computes a precise adversary leverage R_t for every time t ∈ [T+1]. From Lemma 1, R_t is an ellipsoid represented by the controllability Gramian and the constant b. The subroutine InitCover computes the initialization factor described in Lemma 2 for each t. The subroutine Strengthen computes a precise strengthening of the safety constraints Safe by both sets R_t and B_t. From Corollary 4, the strengthening is computed by solving a sequence of optimization problems. Since R_t and B_t are both ellipsoids (Lemmas 1 and 2), the optimization problems solved by Strengthen are quadratically constrained linear optimization problems and are solved efficiently by second-order cone programming [22] or semidefinite programming [23]. For each t ∈ [T+1], the set Safe is strengthened by the corresponding adversary drift R_t to get Safe'_t. The Goal set is strengthened with respect to the adversary drift at the final time T to get Goal'. Finally, SolveSMT makes a call to an SMT solver to check if there exists a satisfying assignment u ∈ Ctr for the quantifier-free formula (8):

$\exists u \in Ctr \;\wedge\; \big(\bigwedge_{t \in [T+1]} \xi(\theta, u, 0, t) \in Safe'_t\big) \wedge \xi(\theta, u, 0, T) \in Goal'.$ (8)

For the class of problems we generate, the SMT solver terminates and either returns a satisfying assignment u or proclaims the problem unsatisfiable by returning Failed. If AdvDrift, InitCover and Strengthen compute the adversary leverage, initialization factor and strengthening precisely, then Algorithm 1 is sound and complete for the linear ARAC problem.
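As an added worked instance of Lemmas 1 and 2, Corollary 4 and the check that SolveSMT performs on formula (8), the following code (written for this page, not the authors' prototype tool) runs the pipeline of Algorithm 1 on a constructed 2-state double-integrator plant under actuator intrusion (C = B, as in Section 3), with assumed values b = 0.04, δ = 0.1, θ = 0, T = 4 and assumed box-shaped Safe and Goal sets. Instead of calling an SOCP solver, the strengthening uses the closed-form maximum of c^⊤x over each ellipsoid (which also covers a singular W_t without a pseudo-inverse), and a fixed candidate u is checked against (8) in place of the SMT search; it goes one step beyond the text by also constructing the admissible adversary sequence that attains the Lemma 1 bound, which confirms the leverage is tight.

```python
# Added worked example for Lemmas 1-2, Corollary 4 and the check in (8).
# Constructed plant and numbers; not the authors' tool.  Plant: a 2-state
# double integrator (position, velocity) with an actuator intrusion, so
# x_{t+1} = A x_t + B u_t + C a_t with C = B (Section 3).
from math import sqrt

A = [[1.0, 1.0], [0.0, 1.0]]
B = [[0.5], [1.0]]
C = [[0.5], [1.0]]
BUDGET = 0.04        # b: adversary constraint sum_t ||a_t||^2 <= b (assumed)
DELTA = 0.1          # Init = B_delta(THETA), assumed radius
THETA = [0.0, 0.0]   # centre of the initial ball (assumed)
T = 4                # time horizon

# Polytopes as lists of half-spaces (c, d) meaning c^T x <= d (assumed sets).
SAFE = [([1, 0], 10.0), ([-1, 0], 10.0), ([0, 1], 5.0), ([0, -1], 5.0)]
GOAL = [([1, 0], 6.0), ([-1, 0], -2.0), ([0, 1], 1.0), ([0, -1], 1.0)]

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def transpose(X):
    return [list(r) for r in zip(*X)]

def matvec(X, v):
    return [sum(X[i][k] * v[k] for k in range(len(v))) for i in range(len(X))]

def dot(v, w):
    return sum(vi * wi for vi, wi in zip(v, w))

def alpha(t1, t0):
    """Transition matrix alpha(t1, t0) = A^(t1 - t0) for a time-invariant A."""
    M = [[1.0, 0.0], [0.0, 1.0]]
    for _ in range(t1 - t0):
        M = matmul(A, M)
    return M

def gramian(t):
    """Controllability Gramian of the adversary W_t from Lemma 1."""
    W = [[0.0, 0.0], [0.0, 0.0]]
    for s in range(t):
        M = matmul(alpha(t, s + 1), C)           # alpha(t, s+1) C_s
        MMt = matmul(M, transpose(M))
        W = [[W[i][j] + MMt[i][j] for j in range(2)] for i in range(2)]
    return W

def leverage_support(c, t):
    """max c^T x over R_t = {x : x^T W_t^{-1} x <= b}, i.e. the value of (7)
    on the ellipsoid; closed form sqrt(b c^T W_t c), valid even if W_t is singular."""
    return sqrt(BUDGET * dot(c, matvec(gramian(t), c)))

def init_support(c, t):
    """max c^T x over B_t = alpha(t,0) B_delta(0) (Lemma 2): delta ||alpha^T c||."""
    v = matvec(transpose(alpha(t, 0)), c)
    return DELTA * sqrt(dot(v, v))

def strengthen(poly, t):
    """Precise strengthening of a polytope by R_t (+) B_t (Corollary 4)."""
    return [(c, d - leverage_support(c, t) - init_support(c, t)) for c, d in poly]

def adversary_free_state(u, t):
    """xi(THETA, u, 0, t): equation (4) with a = 0."""
    x = matvec(alpha(t, 0), THETA)
    for s in range(t):
        step = matvec(matmul(alpha(t, s + 1), B), [u[s]])
        x = [xi + si for xi, si in zip(x, step)]
    return x

def satisfies(x, poly):
    return all(dot(c, x) <= d + 1e-9 for c, d in poly)

def check_control(u):
    """Formula (8) for a fixed u: adversary-free trajectory inside Safe'_t for
    every t and inside Goal' at T.  (The SMT search over u is not reproduced.)"""
    safe = all(satisfies(adversary_free_state(u, t), strengthen(SAFE, t))
               for t in range(T + 1))
    return safe and satisfies(adversary_free_state(u, T), strengthen(GOAL, T))

def worst_case_attack(c, t):
    """Admissible a_0..a_{t-1} that moves c^T x_t by exactly leverage_support(c, t):
    a_s proportional to C_s^T alpha(t,s+1)^T c, scaled to spend the whole budget."""
    g = [matvec(transpose(matmul(alpha(t, s + 1), C)), c)[0] for s in range(t)]
    norm = sqrt(dot(g, g))
    if norm == 0.0:                              # c outside the controllable subspace
        return [0.0] * t
    return [sqrt(BUDGET) * gs / norm for gs in g]

def simulate(x0, u, a):
    """Run the true dynamics (1) with both inputs from x0."""
    x = x0
    for us, as_ in zip(u, a):
        x = [p + q + r for p, q, r in
             zip(matvec(A, x), matvec(B, [us]), matvec(C, [as_]))]
    return x
```

With these numbers, u = (1, 1, −1, −1) passes the check while u = (1, 1, 1, 1) fails it because its adversary-free endpoint lies outside the strengthened Goal.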

Theorem 5. Algorithm 1 outputs u ∈ Ctr if and only if u solves ARAC.


Proof. Suppose Algorithm 1 returns u ∈ Ctr. We will first show that u solves ARAC. Since u satisfies constraints (8), for every t ∈ [T+1], ξ(θ, u, 0, t) ∈ Safe'_t. Since Safe'_t is a strengthening of Safe by R_t and B_t, we have Safe'_t ⊕ R_t ⊕ B_t ⊆ Safe. Thus,

$\xi(\theta, u, 0, t) \oplus R_t \oplus B_t \subseteq Safe.$ (9)

By Definitions 2 and 3, we have

$\xi(\theta, u, 0, t) \oplus R_t \oplus B_t \supseteq \mathrm{Reach}(\theta, u, Adv, t) \oplus B_t \supseteq \mathrm{Reach}(Init, u, t).$ (10)

Combining (9) and (10), we have Reach(Init, u, t) ⊆ Safe. That is, the safety condition of (2) holds. Similarly, since Goal' is the strengthening of Goal by R_T and B_T, we have Reach(Init, u, T) ⊆ Goal. The winning condition also holds.

On the other side, suppose u ∈ Ctr solves ARAC, i.e., it satisfies (2). Since the adversary leverage R_t, initialization factor B_t and strengthenings Safe'_t, Goal' are computed precisely, Equations (9) and (10) hold with equality. Thus, for any t ∈ [T+1], ξ(θ, u, 0, t) ∈ Safe'_t and ξ(θ, u, 0, T) ∈ Goal'. Therefore u is returned by Algorithm 1. □

The completeness of the algorithm is based on two facts: (i) the adversary leverage, initialization factor and strengthening can be computed precisely, and (ii) the SMT solver is complete for formula (8). The exact computation of the adversary leverage and initialization factor requires that the initial set Init and the admissible adversary set Adv are described by balls. Since Ctr, Safe' and Goal' are polytopic sets, formula (8) is a quantifier-free formula in the theory of linear arithmetic, which can be solved efficiently, for example by the DPLL(T) algorithm [24].

5. GENERALIZATIONS 

In this section, we discuss two orthogonal generalizations of linear ARAC and algorithms for solving them, building on the algorithm Synthesis. First, in Section 5.1, we present an approximate approach to solve a problem where Init, Adv and Ctr are general compact convex sets. Then, in Section 5.2, we modify the definition of the linear ARAC problem so that the controller can be a function of the initial state. A solution of this problem is a look-up table, where the controller chooses a sequence of open-loop controls depending on the initial state.

5.1 Synthesis for Generalized Sets 

We generalize the linear ARAC problem described in Section 4.1 such that Init ⊆ X, Ctr ⊆ 𝒰^T and Adv ⊆ 𝒜^T are assumed to be compact subsets of Euclidean space. For a precision parameter ε > 0, the generalized ARAC problem can be approximated by a linear ARAC problem. We define the robustness of an ARAC problem.

We present an extension of Synthesis to solve this problem. For a parameter ε > 0 and compact convex sets Init, Adv, Ctr, we construct a tuple (Θ, A, C) such that

(i) Θ = {θ_i}_{i∈I} is an ε-cover of the initial set Init, that is, Init ⊆ ∪_i B_ε(θ_i).

(ii) A = {a_j}_{j∈J} is an ε-cover of the adversary set. Here each a_j is seen as a vector in Euclidean space, and the union of ε-balls around each a_j over-approximates Adv.

(iii) C ⊆ Ctr ⊆ 𝒰^T is a polytopic set such that d_H(C, Ctr) ≤ ε. That is, C under-approximates the actual control constraints Ctr, with error bounded by ε as measured by the Hausdorff distance.

The modified algorithm to approximately solve the generalized ARAC problem follows the same steps as Algorithm 1 from line 1 to line 6. The only change is in line 7, where instead of solving the SMT formula (8) we solve (11).

$\exists u : u \in C \;\wedge\; \Big(\bigwedge_{t \in [T+1]} \bigwedge_{i \in I} \bigwedge_{j \in J} \xi(\theta_i, u, a_j, t) \in Safe'_t\Big) \wedge \Big(\bigwedge_{i \in I} \bigwedge_{j \in J} \xi(\theta_i, u, a_j, T) \in Goal'\Big)$ (11)

The soundness of this modified algorithm is independent of the choice of ε > 0. That is, if it returns a satisfying assignment u, then u solves the ARAC problem.

Lemma 6. If the modified algorithm returns u ∈ C, then u solves the generalized linear ARAC.

Proof. Suppose u ∈ C ⊆ Ctr satisfies (11). Since Θ and A are ε-covers of Init and Adv, for any t ∈ [T+1] we have

$\mathrm{Reach}(Init, u, Adv, t) \subseteq \mathrm{Reach}\Big(\bigcup_{i \in I} B_\varepsilon(\theta_i), u, \bigcup_{j \in J} B_\varepsilon(a_j), t\Big).$

Let R_t and B_t be the precise adversary leverage and initialization factor as in Algorithm 1. From Lemmas 1 and 2, R_t and B_t are independent of the initial state and adversary input. Therefore,

$\mathrm{Reach}(Init, u, Adv, t) \subseteq \bigcup_{i \in I} \bigcup_{j \in J} \mathrm{Reach}(B_\varepsilon(\theta_i), u, B_\varepsilon(a_j), t) = \bigcup_{i \in I} \bigcup_{j \in J} \big(\xi(\theta_i, u, a_j, t) \oplus R_t \oplus B_t\big) = \Big(\bigcup_{i \in I} \bigcup_{j \in J} \xi(\theta_i, u, a_j, t)\Big) \oplus R_t \oplus B_t.$ (12)

Formula (11) implies that (∪_{i∈I} ∪_{j∈J} ξ(θ_i, u, a_j, t)) ⊆ Safe'_t for any t ∈ [T+1] and (∪_{i∈I} ∪_{j∈J} ξ(θ_i, u, a_j, T)) ⊆ Goal'. Since Safe'_t is an R_t ⊕ B_t strengthening of Safe, it follows from Definition 4 and (12) that Reach(Init, u, Adv, t) ⊆ Safe for all t ∈ [T+1] and Reach(Init, u, Adv, T) ⊆ Goal. That is, u solves the generalized linear ARAC. □

We observe that if the approximate algorithm successfully synthesizes a control, the control solves the generalized linear ARAC problem, no matter what value ε > 0 takes. Moreover, as the parameter ε converges to 0, ∪_{i∈I} B_ε(θ_i), ∪_{j∈J} B_ε(a_j) and C converge to the exact Init, Adv and Ctr, respectively.

5.2 State-dependent Control 

In this section, we keep the same definition of Init, Adv and Ctr as in Section 4.1; however, we consider a variant of ARAC that allows the choice of control u to depend on the initial state of the system. That is, we have to decide if

$\forall x_0 \in Init : \exists u \in Ctr : \big(\bigwedge_{t \in [T+1]} \mathrm{Reach}(x_0, u, t) \subseteq Safe\big) \wedge \mathrm{Reach}(x_0, u, T) \subseteq Goal.$ (13)

A solution to this generalized ARAC problem is a look-up table {(X_i, u_i)}_{i∈I} such that (i) the union ∪_{i∈I} X_i ⊇ Init covers the initial set, and (ii) for every x_0 ∈ X_i, u_i is an admissible input such that the constraints in (13) hold.

We present Algorithm 2 to solve this problem; it uses Synthesis as a subroutine. If the algorithm succeeds, it returns a look-up table Tab which solves the above state-dependent variant of ARAC.

The parameters Adv, Ctr, Safe, Goal, T are invariant in the algorithm, thus we omit them as arguments of Synthesis. The variable ε is initialized as the diameter of the initial set Init (line 1). The subroutine Cover(Init, ε) in line 2 first computes an ε-cover {θ_i}_{i∈I} of Init, and then pairs each θ_i with the parameter ε. The set S stores all such pairs (θ, ε) such that the ε-ball around θ is yet to be examined by the algorithm for Synthesis. For each ball B_ε(θ) in S, the subroutine Synthesis is possibly called twice, for both the ball B_ε(θ) and the single initial state θ, to decide whether the synthesis is successful, a failure, or whether further refinement is needed.


Algorithm 2: TableSynthesis

1 ε ← Dia(Init);
2 S ← Cover(Init, ε);
3 Tab ← ∅;
4 while S ≠ ∅, for (θ, ε) ∈ S do
5   S ← S \ {(θ, ε)};
6   if Synthesis(B_ε(θ)) returns u ∈ Ctr then
7     Tab ← Tab ∪ {(B_ε(θ), u)};
8   else if Synthesis({θ}) failed then
9     return (θ, Failed)
10  else
11    S ← S ∪ Cover(Init ∩ B_ε(θ), ε/2);
12  end
13 end
14 return (Tab, Success)


Theorem 7. If TableSynthesis returns (Tab, Success), then Tab solves the state-dependent ARAC. Otherwise, if TableSynthesis returns (θ, Failed), then there is no solution for the initial state θ.

Proof. We first state an invariant of the while loop, which can be proved straightforwardly by induction. For any iteration, suppose Tab = {(B_{ε_i}(θ_i), u_i)}_{i∈I} and S = {(θ'_j, ε'_j)}_{j∈J} are the valuations of Tab and S at the beginning of the iteration. Then we have (∪_{i∈I} B_{ε_i}(θ_i)) ∪ (∪_{j∈J} B_{ε'_j}(θ'_j)) ⊇ Init.

Suppose TableSynthesis returns (Tab, Success) with Tab = {(B_{ε_i}(θ_i), u_i)}_{i∈I}. From line 4, S = ∅. From the loop invariant, we have ∪_{i∈I} B_{ε_i}(θ_i) ⊇ Init. Moreover, for any (B_ε(θ), u) ∈ Tab, from line 6 and Theorem 5, for any x_0 ∈ B_ε(θ), u is an admissible input such that the constraints in ?? hold. Thus Tab solves the state-dependent ARAC.

Otherwise, suppose TableSynthesis returns (θ, Failed). From line 8 and Theorem 5, there is no admissible u solving the ARAC from θ. □

Algorithm 2 is sound, that is, if the algorithm termi­
nates, it always returns the right answer (it need not terminate 
when a ball keeps being refined). For general sets 
Adv and Ctr, the approach from Section 5.1 can be combined 
with Algorithm 2 to get state-dependent (but u- and a-oblivious) 
controllers. 
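The refinement loop of Algorithm 2 on a constructed scalar instance, as an added example that is not the paper's prototype code: the plant x_{t+1} = x_t + u_t + a_t, the box controller constraint, the budgeted adversary, the safe and goal intervals and the greedy nominal controller are all assumptions made for illustration. The Synthesis oracle follows the paper's decomposition in miniature: it simulates the adversary-free trajectory and tightens Safe and Goal by the ball radius ε plus the worst-case displacement sqrt(k·b) the adversary can induce by step k (Cauchy-Schwarz on the L2 budget), which stands in for the SOCP-based bound of Lemma 3. The covers() check verifies the loop invariant used in the proof of Theorem 7.

```python
import math

# Constructed toy ARAC instance (an assumption for illustration, not one of
# the paper's benchmarks): scalar plant x_{t+1} = x_t + u_t + a_t with
# horizon T, controller box |u_t| <= U_MAX, adversary budget
# sum_{t in [T]} a_t^2 <= B, Safe = {|x| <= S} and Goal = {|x| <= G}.
T, U_MAX, B, S, G = 4, 1.0, 0.25, 6.0, 1.5
MIN_EPS = 1e-6   # added termination guard; Algorithm 2 itself has none


def adversary_radius(k, b=B):
    """Worst-case displacement the adversary can induce by step k:
    |sum_{t<k} a_t| <= sqrt(k * sum a_t^2) <= sqrt(k*b) (Cauchy-Schwarz)."""
    return math.sqrt(k * b)


def greedy_control(theta):
    """Adversary-free open-loop input that drives the nominal state from
    theta to 0 as fast as the box allows; it minimises |x_k| for every k."""
    u, x = [], theta
    for _ in range(T):
        u_t = max(-U_MAX, min(U_MAX, -x))
        u.append(u_t)
        x += u_t
    return u


def synthesis(theta, eps):
    """Synthesis(B_eps(theta)) for the toy instance: simulate the nominal
    trajectory and check Safe/Goal tightened by eps plus the adversary
    radius. Returns the control u on success, None otherwise."""
    u = greedy_control(theta)
    nominal, x = [theta], theta
    for u_t in u:
        x += u_t
        nominal.append(x)
    for k, x_k in enumerate(nominal):          # Safe at every step
        if abs(x_k) + eps + adversary_radius(k) > S:
            return None
    if abs(nominal[T]) + eps + adversary_radius(T) > G:   # Goal at step T
        return None
    return u


def cover(interval, eps):
    """Cover(I, eps): centres of closed eps-balls whose union contains I."""
    lo, hi = interval
    n = max(1, math.ceil((hi - lo) / (2 * eps)))
    d = (hi - lo) / n                         # d <= 2*eps, so the balls overlap
    return [(lo + (i + 0.5) * d, eps) for i in range(n)]


def table_synthesis(init):
    """Algorithm 2 (TableSynthesis) over an interval Init = (lo, hi)."""
    lo, hi = init
    eps = hi - lo                              # line 1: Dia(Init)
    pending = cover(init, eps)                 # line 2
    tab = []                                   # line 3
    while pending:                             # line 4
        theta, eps = pending.pop()             # line 5
        u = synthesis(theta, eps)              # line 6: the whole ball
        if u is not None:
            tab.append(((theta - eps, theta + eps), u))   # line 7
        elif synthesis(theta, 0.0) is None:               # line 8: the single state
            return theta, "Failed"                        # line 9
        elif eps < MIN_EPS:
            return theta, "Unknown"            # added guard, not in Algorithm 2
        else:                                             # line 11: refine
            sub = (max(lo, theta - eps), min(hi, theta + eps))
            pending.extend(cover(sub, eps / 2))
    return tab, "Success"


def covers(tab, init):
    """Check the loop invariant of Theorem 7: the balls in Tab cover Init."""
    lo, hi = init
    reach = lo
    for (l, r), _ in sorted(tab, key=lambda e: e[0]):
        if l > reach + 1e-9:
            return False
        reach = max(reach, r)
    return reach + 1e-9 >= hi


if __name__ == "__main__":
    tab, status = table_synthesis((-3.0, 3.0))
    print(status, len(tab), "balls; cover Init:", covers(tab, (-3.0, 3.0)))
    print(table_synthesis((7.0, 7.5)))
```

Run as a script, it reports Success with eight balls of radius 0.375 covering Init = [-3, 3] (the first three cover attempts fail on the Goal tightening and are refined), and (7.25, Failed) for Init = [7, 7.5], whose states lie outside Safe at t = 0. The MIN_EPS guard is an addition: Algorithm 2 as stated may refine forever on a ball whose boundary point has zero slack.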

6. IMPLEMENTATION AND EXPERIMENTAL EVALUATION 

We have implemented the algorithm Synthesis in a pro­
totype tool in Python. The optimization problem presented 
in Lemma 3 is solved by the second-order cone programming 
solver provided by the package CVXOPT [9]. The quantifier-
free SMT formula (8) is solved by the Z3 solver [10]. In Sec­
tions 6.1 and 6.2, we present the implementation of the basic 
synthesis algorithm, show an example in detail, present the 
experimental results and discuss the complexity of the algo­
rithm. In Sections 6.3 and 6.4, we present several different 
applications of Synthesis. 

Figure 2: Sampled Trajectories of Helicopter Auto-pilot. 
Safety and winning conditions hold. 

6.1 Synthesizing Adversary Resistant Controllers 

We have solved several linear ARAC problems for a 16- 
dimensional helicopter system (as described in 3) and a 4- 
dimensional vehicle. 

We illustrate an instance of the synthesis of the helicopter 
auto-pilot for time bound T = 9 in Figure 2. The state 
variables, control input variables and the constraint Ctr of 
the system are listed in Table 1. We model an actuator 
intrusion attack in which the control input is tampered with by 
an amount a_t at each time t ∈ [T]. The total amount of 
spoofing is bounded by a budget b = 1. 

A control $u = \{u_t\}_{t \in [T]}$ is synthesized by Synthesis. We 
randomly sample adversary inputs a with $\sum_{t \in [T]} \|a_t\|^2 \le b$ 
and visualize the corresponding trajectories under control u 
in Figure 2. 

Besides the helicopter model, we studied a discrete vari­
ation of the navigation problem of a 4-dimensional vehicle, 
where the states are positions and velocities in Cartesian 
coordinates, and the controller and adversary compete to 
decide the accelerations in both directions. 

The experimental results for different instances are listed 
in Table 2, where the columns represent (i) the model of the 
complete system, (ii) the dimensions of the state, control input 
and adversary input vectors, (iii) the time bound, (iv) the 
length of the formula representing Safe and the number of obstacles, 
(v) the lengths of the formulas representing Goal and Ctr, (vi) the 
length of the quantifier-free formula in (2), (vii) the synthesis 
result, and (viii) the running time of the synthesis algorithm. 

From the results, we observe that the algorithm can synthe­
size controllers for the lower-dimensional system over a relatively 
long horizon (T = 320) in a reasonable amount of time. For the higher-
dimensional (16-dimensional) system, the approach scales to 
a horizon of T = 15. The run time of the algorithm grows ex­
ponentially with the time bound T. Comparing rows 2-4 (T = 80 
with 4, 10 and 20 obstacles), we observe that the runtime grows 
linearly with the number of obstacles. 

6.2 Discussion on Complexity of Safety Constraints 

Let the quantifier-free constraints in (2) be specified by a 
CNF formula $\phi$, where each atomic proposition is a linear 
constraint. We denote by $|\phi|$ the length of the CNF formula, 
which is the number of atomic propositions in $\phi$. Notice 
that if we convert a CNF formula into a union of 
polytopes, the size of the formula can grow exponentially. 
Similarly, let CNF formulas $\phi_{Safe}$, $\phi_{Goal}$ and $\phi_{Ctr}$ specify the 
constraints $Safe, Goal \subseteq X$ and $Ctr \subseteq U^T$. It can be derived 
from (2) that 
$$|\phi| = T\,|\phi_{Safe}| + |\phi_{Goal}| + |\phi_{Ctr}|.$$
If we fix the length of the projection of $\phi_{Ctr}$ on the control $u_t$ for each $t$, that 
is, we assume the controller constraints at different times are 
comparably complex, then $|\phi_{Ctr}|$ grows linearly with the time 
bound $T$. Suppose further that $|\phi_{Safe}|$ and $|\phi_{Goal}|$ are constant; 
then the length of $\phi$ is linear in the time bound $T$. 

The length of $\phi_{Safe}$ is a function of the number and com­
plexity of obstacles. Suppose that the safe region $Safe'$ is 
obtained by adding a polytopic obstacle $O = \{x \in \mathbb{R}^n : 
Ax \le b\}$ to a safe region $Safe$. One measure of the complexity 
of the obstacle is the number of rows of the matrix $A$. Then 
the resulting safe region is $Safe' = Safe \setminus O$, which implies 

$$\phi_{Safe'} = \phi_{Safe} \wedge \neg(Ax \le b) = \phi_{Safe} \wedge \Big(\bigvee_i A_i x > b_i\Big),$$

where $A_i$ is the $i$-th row of $A$ and $b_i$ the $i$-th entry of $b$. Therefore the length of $\phi_{Safe}$ 
increases linearly with the number of obstacles and the num­
ber of faces of every obstacle. 

In the experiments, we observe that the running time of 
Z3 on the SMT formula varies on a case-by-case basis. 
The size of the obstacles, the volume of the obstacle-free region 
and the number of significant digits in the entries of the constraint 
and dynamics matrices also affect the running time. 
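To make the length accounting concrete, the following added example (not the paper's tool, which is not reproduced here) emits the quantifier-free SMT-LIB2 text for the adversary-free unrolled dynamics of a constructed double integrator and counts the atoms while building it. The per-step tightening radius is an assumed input that stands in for the per-constraint margins the paper computes with the SOCP of Lemma 3 (a halfspace a·x ≤ c holds on a Euclidean ball of radius r around the nominal state iff a·x_nom ≤ c − r‖a‖), and the obstacle is expanded exactly as φ_Safe ∧ (∨_i A_i x > b_i) above. The text can be piped to `z3 -in`; nothing here calls the solver.

```python
import math

# Added example: SMT-LIB2 encoding of the adversary-free unrolled linear
# system, obstacles expanded as disjunctions of negated faces, with an atom
# count to compare against |phi| = T|phi_Safe| + |phi_Goal| + |phi_Ctr|.


def fmt(v):
    """SMT-LIB Real literal; negative numbers must be written as (- c)."""
    v = float(v)
    return f"(- {-v:.4f})" if v < 0 else f"{v:.4f}"


def unroll(A, B, x0, T):
    """Symbolic simulation: for t = 0..T, x_t coordinate-wise as
    (const, {(s, j): coef}) meaning const + sum coef * u_s_j."""
    n, m = len(A), len(B[0])
    states = [[(x0[i], {}) for i in range(n)]]
    for t in range(T):
        prev, nxt = states[-1], []
        for i in range(n):
            const = sum(A[i][k] * prev[k][0] for k in range(n))
            coefs = {}
            for k in range(n):
                for key, c in prev[k][1].items():
                    coefs[key] = coefs.get(key, 0) + A[i][k] * c
            for j in range(m):
                if B[i][j] != 0:
                    coefs[(t, j)] = coefs.get((t, j), 0) + B[i][j]
            nxt.append((const, coefs))
        states.append(nxt)
    return states


def affine_to_smt(coefs, const):
    terms = [f"(* {fmt(c)} u_{s}_{j})" for (s, j), c in sorted(coefs.items()) if c != 0]
    terms.append(fmt(const))
    return terms[0] if len(terms) == 1 else "(+ " + " ".join(terms) + ")"


def halfspace_atom(a, c, expr, radius, obstacle_face=False):
    """Atom a.x_t <= c on the symbolic state expr, tightened by radius*||a||_2
    so it holds for every state within `radius` of the nominal one. For an
    obstacle face the negated, tightened atom a.x_t > c + radius*||a|| is emitted."""
    const = sum(a_i * e[0] for a_i, e in zip(a, expr))
    coefs = {}
    for a_i, (_, cs) in zip(a, expr):
        for key, v in cs.items():
            coefs[key] = coefs.get(key, 0) + a_i * v
    margin = radius * math.sqrt(sum(a_i * a_i for a_i in a))
    lhs = affine_to_smt(coefs, const)
    return f"(> {lhs} {fmt(c + margin)})" if obstacle_face else f"(<= {lhs} {fmt(c - margin)})"


def build_formula(A, B, x0, T, safe, obstacles, goal, u_max, radius):
    """safe/goal: halfspaces (a, c) meaning a.x <= c; obstacles: list of
    polytopes, each a list of faces (a, c); radius[t]: assumed uncertainty
    radius at step t. Returns (smt_text, number_of_atoms)."""
    m = len(B[0])
    xs = unroll(A, B, x0, T)
    lines, atoms = ["(set-logic QF_LRA)"], 0
    for t in range(T):                      # Ctr: a box on every u_t
        for j in range(m):
            lines.append(f"(declare-const u_{t}_{j} Real)")
            lines.append(f"(assert (<= (- {fmt(u_max)}) u_{t}_{j}))")
            lines.append(f"(assert (<= u_{t}_{j} {fmt(u_max)}))")
            atoms += 2
    for t in range(1, T + 1):               # Safe at each step: T copies
        for a, c in safe:
            lines.append(f"(assert {halfspace_atom(a, c, xs[t], radius[t])})")
            atoms += 1
        for faces in obstacles:             # Safe \ O  ==  OR_i  A_i x > b_i
            disj = " ".join(halfspace_atom(a, c, xs[t], radius[t], True) for a, c in faces)
            lines.append(f"(assert (or {disj}))")
            atoms += len(faces)
    for a, c in goal:                       # Goal at the final step
        lines.append(f"(assert {halfspace_atom(a, c, xs[T], radius[T])})")
        atoms += 1
    lines += ["(check-sat)", "(get-model)"]
    return "\n".join(lines), atoms


def formula_length(T, n_safe, n_goal, n_ctr):
    """The count |phi| = T|phi_Safe| + |phi_Goal| + |phi_Ctr| from the text."""
    return T * n_safe + n_goal + n_ctr


def example(T=4):
    """Constructed double-integrator instance (position p, velocity v)."""
    A, B, x0 = [[1, 1], [0, 1]], [[0], [1]], [0, 0]
    safe = [([1, 0], 10.0), ([-1, 0], 10.0)]                  # -10 <= p <= 10
    box = [([1, 0], 3.0), ([-1, 0], -2.0), ([0, 1], 1.0), ([0, -1], 1.0)]  # 2<=p<=3, |v|<=1
    goal = [([-1, 0], -5.0), ([1, 0], 8.0)]                   # 5 <= p <= 8
    radius = [0.1 * math.sqrt(t) for t in range(T + 1)]      # assumed tightening
    return build_formula(A, B, x0, T, safe, [box], goal, 1.0, radius)


if __name__ == "__main__":
    text, atoms = example()
    print(text)
    print(";", atoms, "atoms; expected", formula_length(4, 6, 2, 8))
```

For the instance in example() with T = 4, |φ_Safe| = 2 + 4, |φ_Goal| = 2 and |φ_Ctr| = 2·T, the builder reports 34 atoms, matching T|φ_Safe| + |φ_Goal| + |φ_Ctr|; the per-step copies of Safe are what make the count linear in T, and each extra obstacle face adds one atom to every copy.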

6.3 Vulnerability Analysis of Initial States 

Using Synthesis, we can examine the vulnerability of ini­
tial states to attackers. Fixing a controller constraint Ctr, a 
time bound T, a safety condition Safe and a winning condition 
Goal, for each initial state Init there exists a maximum crit­
ical budget b_max of the adversary Adv such that beyond this 
budget the problem becomes infeasible. The lower b_max is 
for an initial state, the weaker the adversary to which that state 
is vulnerable. Since the adversary set for a smaller budget is contained 
in that for a larger one, feasibility is monotone in the budget, and 
the maximum budget can be found by a binary search on the 
adversary budget using Synthesis. 
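The bisection for b_max on a constructed scalar instance, as an added example rather than the paper's experiment: the plant x_{t+1} = x_t + u_t + a_t, the constraint sets and the horizon are assumptions, and the feasibility test is the closed-form tightened check for that instance (smallest reachable |x_k| against the adversary's worst-case displacement sqrt(k·b)), standing in for a call to Synthesis.

```python
import math

# Constructed scalar instance (an assumption, not the paper's vehicle model):
# x_{t+1} = x_t + u_t + a_t, |u_t| <= U_MAX, adversary budget sum a_t^2 <= b,
# Safe = {|x| <= S}, Goal = {|x| <= G}, horizon T.
T, U_MAX, S, G = 4, 1.0, 6.0, 1.5
B_HI = 10.0          # upper end of the search interval for b_max
ITERS = 60           # bisection steps; precision B_HI / 2**ITERS


def feasible(theta, b):
    """Does an open-loop control exist from theta against budget b?

    Driving the nominal state toward 0 at full speed gives
    |x_k| = max(|theta| - k*U_MAX, 0), the smallest value reachable at every
    step; the adversary can push at most sqrt(k*b) by step k (Cauchy-Schwarz),
    so the tightened Safe and Goal checks below decide feasibility.
    """
    for k in range(T + 1):
        x_k = max(abs(theta) - k * U_MAX, 0.0)
        if x_k + math.sqrt(k * b) > S:
            return False
    return max(abs(theta) - T * U_MAX, 0.0) + math.sqrt(T * b) <= G


def max_budget(theta):
    """b_max(theta): the largest adversary budget the state still tolerates,
    found by bisection (feasibility is monotone decreasing in b). Returns 0
    for states that cannot be protected even without an adversary."""
    if not feasible(theta, 0.0):
        return 0.0
    if feasible(theta, B_HI):
        return B_HI
    lo, hi = 0.0, B_HI           # invariant: feasible(lo) and not feasible(hi)
    for _ in range(ITERS):
        mid = (lo + hi) / 2
        if feasible(theta, mid):
            lo = mid
        else:
            hi = mid
    return lo


def vulnerability_map(thetas):
    """(theta, b_max) pairs: the lower b_max, the weaker the adversary that
    defeats the state, the 1-D counterpart of the shading in Figure 3."""
    return [(theta, max_budget(theta)) for theta in thetas]


if __name__ == "__main__":
    for theta, b in vulnerability_map([0.0, 2.0, 4.0, 4.5, 5.0, 5.5, 6.5]):
        print(f"theta={theta:4.1f}  b_max={b:.4f}")
```

For this instance b_max is 0.5625 for every |θ| ≤ 4 (the nominal trajectory reaches 0 and only the Goal tightening 2·sqrt(b) ≤ 1.5 binds), drops to 0.0625 at θ = 5 and reaches 0 at θ = 5.5, where the controller can only just reach Goal with no adversary at all: the states nearest the boundary of the region from which Goal is reachable in time are the ones a weak adversary defeats.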

We examine the vulnerability of an instance of the 4-
dimensional autonomous vehicle system. The result is il­
lustrated in Figure 3, where the box at the bottom repre­
sents Goal, the red regions represent the obstacles whose 
complement is Safe, and the green-black region at the top 
is Init. The black regions are the most vulnerable, with 
b_max = 0, and the lightest green regions are the least vulnerable, 
with b_max = 1.8. We see that regions closer to an obstacle 
are darker, as an adversary with a relatively small budget b 
can make the vehicle run into an obstacle. We also observe 
that the dark regions are shifted towards the center, since the 
obstacles are aggregated at the center of the plane; avoiding 
them may cause the controller to run out of the time bound. 

6.4 Attack Synthesis 

The Synthesis subroutine can also be used to generate 
attacks by swapping the roles of the adversary and the con­
troller. In this section, we synthesize adversarial attacks on 
the 4-dimensional vehicle such that the system is driven 
to unsafe states within a bounded time T. That is, for a state 
$x \in X$, we decide whether 

$$\exists a \in Adv\ \forall u \in Ctr : \big(\forall t \in [T]\ \xi(x, u, a, t) \in Unsafe\big). \qquad (14)$$


System      #x, #u, #a   T     |φ_Safe|, #Obs   |φ_Goal|, |φ_Ctr|   |φ|    Result   Run Time (s) 
Vehicle     4, 2, 2      40    16, 3            4, 160              804    unsat    2.79 
                         80    20, 4            4, 320              1924   sat      16.49 
                         80    44, 10           4, 320              3844   sat      35.22 
                         80    84, 20           4, 320              7044   sat      53.8 
                         160   20, 5            4, 640              3844   sat      91.78 
                         320   24, 6            4, 1280             8964   sat      532.5 
Helicopter  16, 4, 4     5     18, 3            6, 40               136    sat      1.2 
                         5     24, 4            6, 40               166    unsat    0.61 
                         7     24, 4            9, 56               213    sat      8.2 
                         9     36, 6            6, 72               402    sat      24.5 
                         12    24, 4            6, 96               338    sat      60.6 
                         15    24, 4            6, 96               576    sat      158.8 
                         18    24, 4            10, 96              640    -        - 

Table 2: Experimental results for Synthesis. Columns: complete system; 
dimensions of the state, control and adversary vectors; time bound T; 
length of φ_Safe and number of obstacles; lengths of φ_Goal and φ_Ctr; 
length of the quantifier-free formula φ in (2); result; run time in seconds. 



Figure 3: Vulnerability Analysis of Initial States. The adversary 
may cause the system to hit an obstacle or delay reaching 
Goal beyond the time bound T. 


Notice that (14) is essentially the same as (2) with the roles 
of u and a switched and Safe negated to get Unsafe. 

We suppose that the set of adversarial inputs Adv is a poly­
topic set and the control set $Ctr = \{u \in U^T : \sum_{t \in [T]} \|u_t\|^2 \le b\}$ 
is specified by a budget $b > 0$. For general convex compact 
sets Ctr and Adv, one can under-approximate Adv by a polytopic 
set and over-approximate Ctr by a budget-constrained set with 
budget b. As discussed in Section 5.1, this approximation is 
sound, since the existential player (here the adversary) is given 
fewer choices and the universal player (the controller) more. 

We synthesize a look-up table $\{(T_i, a_i)\}_i$ as the strategy 
of the adversary, such that (i) $T_i \subseteq X$, and (ii) for each state 
$x \in T_i$, the corresponding adversary input $a_i$ satisfies (14). During 
the evolution of the plant under the controller, the adversary 
acts only when the system reaches a state $x \in T_i$ for some 
$T_i$ in the look-up table; the corresponding attack $a_i$ is then 
triggered at x and breaks the safety of the system. 

The synthesis of attacks uses a similar idea of creating cov­
ers of the states as in TableSynthesis, but without refinement. 
Suppose the set of states X is compact. The adversary 
first creates a uniform cover of the state space, then searches 
for an attack on each cover. If the synthesis succeeds and re­
turns an attack a, then the cover is vulnerable and is stored 
in the look-up table of attacks paired with the attack a. 

Figure 4: Attack Generation. The darker a region is, the larger 
the portion of velocities that is vulnerable. If the vehicle visits a region 
near an obstacle, it can survive only if its initial velocity 
is pointing outwards. 

A result of the synthesis is illustrated in Figure 4, where the 
red boxes specify obstacles. The vulnerable covers, each 
of which is a subset of $\mathbb{R}^4$, are projected onto the 2-D position plane 
and visualized as blue regions; the white regions are 
not vulnerable to attackers. The darkness of a region corre­
sponds to the number of vulnerable covers whose projection contains 
the region. That is, if the vehicle is in a dark region, a large 
portion of its velocity space is vulnerable to attacks that 
make the system unsafe. A sample trajectory is shown 
by the green curve: as it enters the lightly shaded region, 
its velocity does not fall into a vulnerable cover right away; 
as it approaches further, it enters a vulnerable cover and an 
attack is triggered at the point marked with a cross. 

7. CONCLUSION 

We present a controller synthesis algorithm for a discrete 
time reach-avoid problem in the presence of adversaries. 
Specifically, we present a sound and complete algorithm for 
the case with linear time-varying dynamics and an adversary 
with a budget on the total L2-norm of its actions. The algo­
rithm combines techniques from control theory with synthesis 
approaches from formal methods and programming 
language research. Our approach first precisely decomposes 
the reach set of the complete system into the 
non-determinism from the adversary input and the choice 
of initial state, and an adversary-free trajectory with a fixed 
initial state. Then we tighten the Safe and Goal conditions 
by solving a sequence of quadratically constrained linear opti­
mization problems. Finally we derive a linear quantifier-
free SMT formula for the adversary-free trajectories, which 
can be solved effectively by SMT solvers. The algorithm is 
then extended to solve problems with a more general initial set 
and more general constraints on the controller and adversary. We present pre­
liminary experimental results that show the effectiveness of 
this approach on several example problems. The algorithm 
synthesizes adversary-resilient controls for a 4-dimensional 
system for 320 rounds and for a 16-dimensional system for 
15 rounds in minutes. The algorithm is extended to analyze 
the vulnerability of states and to synthesize attacks. 

Future Direction 

There are several interesting follow-up research topics. For 
example, the solution of the linear ARAC can be used to solve 
adversary-free nonlinear reach-avoid problems, where the 
dynamics are linearized along a nominal trajectory and 
the linearization error is modeled as the adversary. 

We also plan to extend the approach to synthesize 
switched controllers for an infinite horizon by applying a sim­
ilar approach to the one suggested in [25]. 

Another interesting direction is to precisely define a dual 
problem of the linear ARAC. Since reachability is dual to 
detectability, we envision that there exists a detectability 
type problem dual to ARAC, such that the adversary adds 
noise to the measurements. The question is then how well 
we can estimate whether the system is in unsafe state based 
on the noisy measurements. 